Windows Server 2003 Meets the Zombie Apocalypse

Don’t create zombie Windows Server 2003 systems. Running a server with the out-of-support operating system can attract hackers and land small businesses in legal hot water.

Many small and midsized businesses (SMBs) have a danger lurking in their server room can that undermine their best efforts to keep their users and data safe.

Microsoft stopped supporting Windows Server 2003 on July 14. Similar to Windows XP's retirement a year before, this means that the software giant won't issue any more security updates or fix bugs. Effectively businesses running the operating system (OS) are on their own, barring a costly support contract that only major corporations and governments can afford.

A month before the July 14 deadline, Softchoice, an IT managed services provider and consultancy, revealed that many businesses were still running the server software. The company's TechCheck analysis of more than 200 organizations and their 90,000 servers found that 21 percent of those servers were still running Windows Server 2003 during the first half of 2015, a mere 11 percent drop from a year ago. Approximately a third of those organizations are small businesses.

"With less than a month to go until Windows pulls support for Windows Server 2003, it's surprising that there still isn't a greater sense of urgency among organizations to modernize and upgrade their systems," said David Brisbois, senior manager of assessment and technology deployment services consulting at Softchoice, in a statement at the time.

Weeks after the support cut-off, the ancient OS still lingers, according to Chris Woodin, director of Microsoft sales operations at Softchoice. Servers running the software still numbers "in the millions," he told Small Business Computing. "It's actually shocking."

Dangers of Low-Priority Windows Server 2003 Workloads

The good news is that most businesses have already moved their critical business applications to newer versions of Windows Server, said Woodin. "Customers were quick to migrate their core production applications off of Windows Server 2003," he said.

In most environments, Windows Server 2003 systems have been relegated to lower-priority workloads that don't touch sensitive or private information. While those servers are a low priority, they're a high-value target for hackers.

"Because that one particular server running 2003 may not have sensitive data, they assume it's not a security risk," said Woodin of a common misconception among businesses. For hackers, it's not the data that makes those servers valuable. It's the connections to the rest of the network that make them a tempting target.

"If a hacker gets into that server, he can get into other servers that are secure," Woodin warned. Windows Server 2003 is a "gaping hole" into the small business networks, and one that data thieves are itching to exploit.

On the Hunt for Zombies

"Hackers were counting down the days to end-of-support," Woodin said. They marked their calendars betting that companies would not disturb a server or two that was harmlessly toiling away. Judging by Softchoice's findings, hackers have plenty of targets from which to choose.

Woodin suggests that SMBs run a complete assessment of their server environments, a critical step in not only finding instances of Windows Server 2003, but also for drawing up a plan to moving those workloads to a newer OS or to the cloud. An assessment can also help sniff out zombie servers, systems that run severely outdated or useless applications that have gone untouched for years, forgotten amidst IT upgrades and personnel changes.

Apart from the aforementioned security risks, zombie Windows Server 2003 systems can take a lethal bite out of a company's regulatory compliance policies.

"There is almost no vertical left in the U.S. that doesn't have some sort of industry regulation," Woodin reminded. Healthcare companies have the Health Insurance Portability and Accountability Act (HIPAA), for example. "What they all have in common is the expectation that you're running supported operating systems."

Certainly, most businesses likely don't have healthcare or financial records on zombie servers, but those systems still pose a risk. What's often misunderstood, explained Woodin, is that some regulations effectively dictate that "you shouldn't have Windows Server 2003 unsupported anywhere in your [network] environment." If it touches the network, that Windows Server 2003 zombie can not only draw attention from hackers, but also from regulators.

Do you have a comment or question about this article or other small business topics in general? Speak out in the SmallBusinessComputing.com Forums. Join the discussion today!